Belgian ISP Belnet has restored its service after a massive distributed denial of service (DDoS) attack earlier this week that cut off Internet access to numerous government, public, scientific and educational agencies, including Belgium’s Parliament and some law-enforcement agencies. The attack occurred Tuesday at 11 a.m. (GMT) in Europe and affected “all the institutions connected to the Belnet network,” which number about 200, according to a statement published Wednesday on Belnet’s website. Moreover, upon investigation, it seems the attack, a coordinated effort targeting the Belgian government, also affected other ISPs in what was the largest DDoS attack the country has seen, according to reports. Belgium is the headquarters of the European Union (EU) and thus a key hub of activity and decision-making that affects the global political and socio-economic landscape. While Belnet restored service to its own network and website by Tuesday evening, the attack continues to have ongoing consequences, with some customers still unable to connect to websites and online services, according to Belnet. “We are fully aware of the impact on the organizations connected to our network and their users and we are aware that this has profoundly disrupted their functioning,” Dirk Haex,…

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.

Yet another new information stealer, Panda Stealer, is being spread through a worldwide spam campaign. On Tuesday, Trend Micro researchers said that they first spotted the new stealer in April. The most recent wave of the spam campaign has had the biggest impact in Australia, Germany, Japan and the U.S. The spam emails are masquerading as business-quote requests to lure victims into clicking on booby-trapped Excel files. The researchers found 264 files similar to Panda Stealer on VirusTotal, with some of them being shared by threat actors on Discord. That’s not surprising, given recent trends: Cisco’s Talos cybersecurity team recently found that threat actors have infiltrated workflow and collaboration tools like Slack and Discord to slip past security and deliver info-stealers, remote-access trojans (RATs) and other malware.

… Or Maybe Collaborating on More of the Same

Then again, threat actors could also be using Discord to share the Panda Stealer build with each other, Trend Micro suggested. Once Panda gets cozy, it tries to hoover up details such as private keys and past transactions from cryptocurrency wallets, including Bytecoin (BCN), Dash (DASH), Ethereum (ETH) and Litecoin (LTC). Beyond stealing wallets, it can also filch credentials from applications,…

An SQL-injection vulnerability discovered in a WordPress plugin called “Spam protection, AntiSpam, FireWall by CleanTalk” could expose user emails, passwords, credit-card data and other sensitive information to an unauthenticated attacker. Spam protection, AntiSpam, FireWall by CleanTalk is installed on more than 100,000 sites, and is mainly used to weed out spam and trash comments on website discussion boards. According to Wordfence, the issue (CVE-2021-24295, which carries a high-severity CVSS vulnerability rating of 7.5 out of 10) arises thanks to how it performs that filtering. It maintains a blocklist and tracks the behavior of different IP addresses, including the user-agent string that browsers send to identify themselves. “Unfortunately, the update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php, which was used to insert records of these requests into the database, failed to use a prepared SQL statement,” according to the firm, which released an analysis on Tuesday. SQL injection is a web-security vulnerability that allows attackers to interfere with the queries that an application makes to its database, so that they intercept or infer the responses that databases return when queried. Prepared statements are one of the ways to prevent this; they…

A veritable cornucopia of security vulnerabilities in the Exim mail server has been uncovered, some of which could be chained together for unauthenticated remote code execution (RCE), gaining root privileges and worm-style lateral movement, according to researchers. The Qualys Research Team has discovered a whopping 21 bugs in the popular mail transfer agent (MTA), which was built to send and receive email on major Unix-like operating systems. It comes pre-installed on Linux distributions such as Debian, for instance. “MTAs are interesting targets for attackers because they are usually accessible over the internet,” according to the Qualys analysis, issued on Tuesday. “Once exploited, they could modify sensitive email settings on the mail servers, allow adversaries to create new accounts on the target mail servers,” Qualys Senior Manager of Vulnerabilities Bharat Jogi said in a post. Researchers said that according to a Shodan search, nearly 4 million Exim servers are directly exposed to the internet. Out of the 21 vulns, which Qualys collectively dubbed “21 Nails,” 10 of them can be exploited remotely. And, most of them can be exploited in either default configuration or “in a very common configuration,” according to Qualys. Also, most of them affect all versions…

Peloton has hit a pothole. Its API was leaking riders’ private data, it ignored a vulnerability disclosure from a penetration testing company, and it partially fixed the hole but didn’t get around to telling the researcher until he reached out to a cybersecurity journalist for some help. This is bad news for Peloton, coming just before other, far more horrific news hit the headlines: Namely, on Wednesday, the company recalled all of its treadmills, which have been linked to 70 injuries and the death of one child. It also admitted that it had been wrong to refuse the Consumer Product Safety Commission’s request that it pull the equipment: In April, the CPSC warned consumers to stay off the Peloton Tread+, which “poses serious risks to children for abrasions, fractures, and death.” The CPSC said that it had received multiple reports of children, and at least one pet, getting trapped, pinned, and pulled under the rear roller. The commission posted a disturbing video showing a child getting pulled under the front rollers (he wasn’t injured). “It is believed that at least one incident occurred while a parent was running on the treadmill, suggesting that the hazard cannot be avoided simply by locking the device when not in use,” the CPSC said. “Reports of a pet and objects being sucked beneath the Tread+ also suggest possible harm to the user if the user loses balance as a result.” …

Federal law enforcement in Maryland has shut down a fraudulent website targeting immigrant communities that claimed to be for a company developing a COVID-19 vaccine. Instead, the site was stealing information from people with the purpose of using it for future cybercriminal activity. The U.S. Attorney’s Office for the District of Maryland, working with Homeland Security Investigations (HSI) in Baltimore, seized “Freevaccinecovax.org,” “which purported to be the website of an actual biotechnology company developing a vaccine for the COVID-19 virus,” according to a release on the office’s website posted earlier this week. Instead, the site was collecting personal information from people who visited it “in order to use the information for nefarious purposes, including fraud, phishing attacks, and/or deployment of malware.” The site used trademarked logos for Pfizer, the World Health Organization (WHO) and the United Nations High Commissioner for Refugees (UNHCR) on its home page to dupe visitors into thinking it was a legitimate site, according to the release. It collected visitor information by using a drop-down menu asking people to select their city and then apply for information by downloading a PDF file to their computers. The PDF that the site offered to users was written in Cyrillic, suggesting that fraudsters were targeting immigrant communities of people from the former Soviet countries of Belarus, Kazakhstan, Russia, Turkmenistan and Ukraine, who use Cyrillic script in…

Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization's own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user's emails and files, both of which are then plundered to launch malware and phishing scams against others. These attacks begin with an emailed link that when clicked loads not a phishing site but the user's actual Office 365 login page — whether that be at microsoft.com or their employer's domain. After logging in, the user might see a prompt that looks something like this: These malicious apps allow attackers to bypass multi-factor authentication, because they are approved by the user after that user has already logged in. Also, the apps will persist in a user's Office 365 account indefinitely until removed, and will survive even after an account password reset. This week, messaging security vendor Proofpoint published some new data on the rise of these malicious Office 365 apps, noting that a high percentage of Office users will fall for this scheme [full disclosure: Proofpoint is an advertiser on this website]. Ryan Kalember, Proofpoint's executive vice president of cybersecurity strategy, said 55 percent of the company's customers have faced these malicious app attacks at one point or another. "Of those who got attacked, about 22 percent — or one in…

Two waves of global financial phishing attacks that swamped at least 50 organizations in December have delivered three new malware families, according to a report from FireEye’s Mandiant cybersecurity team. On Tuesday, the team said that they’ve dubbed the hitherto-unseen malware strains Doubledrag, Doubledrop, and Doubleback. What Mandiant called the “trifecta” spear-phishing campaign twice hit a wide swath of industries worldwide: first on Dec. 2, 2020, with a second wave launched between Dec. 11 and Dec. 18, 2020. The US was the primary target for attacks in both waves, while EMEA and Asia and Australia shared equal suffering in the first wave, as shown in the figure below:

These Are No Schlubs

Mandiant tracks the threat actor as UNC2529 and says that these guys are pros. Given the “considerable” infrastructure they have at their disposal, their carefully crafted phishing lures, and what the researchers called the “professionally coded sophistication” of the malware, the team says that the UNC2529 attackers seem “experienced and well-resourced.” The UNC2529 gang researched their targets well, tailoring their phishing email subject lines to their intended victims. In one instance, the threat actors masqueraded as an account executive for a small, California-based electronics manufacturer, sending out seven phishing emails that targeted a slew of industries, from medical to defense. All of the emails contained subject lines that were specific to the products of the…

Pulse Secure has rushed a fix for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe. Pulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities. The zero-day flaw, tracked as CVE-2021-22893, was first disclosed on April 20 and carries the highest possible CVSS severity score, 10 out of 10. An exploit allows remote code-execution (RCE) and two-factor authentication bypass. The bug is being used in the wild to gain administrator-level access to the appliances, according to research from Pulse Secure’s parent company, Ivanti. It’s related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday, and “allows a remote unauthenticated attacker to execute arbitrary code via license server web services.” It can be exploited without any user interaction. The activity level has been such that the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning businesses of the ongoing campaigns. These are being tracked by FireEye Mandiant as being carried out by two main…

When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. When cybercriminals develop the same habit, it can eventually cost them their freedom. Our passwords can say a lot about us, and much of what they have to say is unflattering. In a world in which all databases — including hacker forums — are eventually compromised and leaked online, it can be tough for cybercriminals to maintain their anonymity if they're in the habit of re-using the same unusual passwords across multiple accounts associated with different email addresses. The long-running Breadcrumbs series here tracks how cybercriminals get caught, and it's mostly through odd connections between their online and offline selves scattered across the Internet. Interestingly, one of the more common connections involves re-using or recycling passwords across multiple accounts. And yes, hackers get their passwords compromised at the same rate as the rest of us. Which means when a cybercrime forum gets hacked and its user databases posted online, it is often possible to work backwards from some of the more unique passwords for each account and see where else that password was used.

SWATTING THE FLY

Of all the stories I've written here over the last 11 years, probably the piece I get asked most to recount is the one about Sergey "Fly" Vovnenko, a Ukrainian man who in 2013 hatched and executed a plan to buy heroin off the dark web, ship it to our…